SEC Consult SA-20131003-0 :: Denial of service vulnerability in Citrix NetScaler Oct 03 2013 10:15AM
SEC Consult Vulnerability Lab (research sec-consult com)
SEC Consult Vulnerability Lab Security Advisory < 20131003-0 >
title: nsconfigd NSRPC_REMOTECMD Denial of service vulnerability
product: Citrix NetScaler
vulnerable version: NetScaler 10.0 (Build <76.7)
fixed version: NetScaler 10.0 (Build >=76.7)
not affected: NetScaler 10.1 and 9.3
impact: Critical
homepage: http://www.citrix.com
found: 2012-12-10
by: Stefan Viehböck
SEC Consult Vulnerability Lab

Vendor/product description:
"Citrix NetScaler helps organizations build enterprise cloud networks that
embody the characteristics and capabilities that define public cloud services,
such as elasticity, expandability and simplicity. NetScaler brings to
enterprise IT leaders multiple advanced technologies that were previously
available only to large public cloud providers."

"As an undisputed leader of service and application delivery, Citrix NetScaler
solutions are deployed in thousands of networks around the globe to optimize,
secure and control the delivery of all enterprise and cloud services. They
deliver 100 percent application availability, application and database server
offload, acceleration and advanced attack protection. Deployed directly in
front of web and database servers, NetScaler solutions combine high-speed load
balancing and content switching, http compression, content caching, SSL
acceleration, application flow visibility and a powerful application firewall
into a single, easy-to-use platform."

URL: http://www.citrix.com/products/netscaler-application-delivery-controller

Vulnerability overview/description:
A vulnerability was found in the nsconfigd daemon (TCP port 3008 (SSL) and
3010). This daemon can be crashed by sending a specially crafted message.
No prior authentication is necessary. A watchdog daemon (pitboss) automatically
restarts nsconfigd after the first six crashes and then reboots the appliance.
By sending just a few packets the appliance can be kept in a constant reboot
loop resulting in total loss of availability.

Proof of concept:
The nsconfigd daemon can be crashed for six times using the following Python
script. Subsequently the appliance reboots.

Detailed proof of concept exploits have been removed for this vulnerability.

Vulnerable / tested versions:
The vulnerabilities have been verified to exist in Citrix NetScaler VPX (Build
70.7.nc), which was the most recent version at the time of discovery.

Vendor contact timeline:
2013-03-27: Contacting vendor through secure (at) citrix (dot) com. [email concealed]
2013-03-28: Vendor provides encryption key.
2013-03-28: Sending advisory via secure channel.
2013-03-28: Vendor confirms receipt of advisory.
2013-04-08: Requesting status update.
2013-04-19: Requesting status update (again).
2013-04-22: Vendor confirms issues, is "in the process of scheduling required
2013-06-05: Requesting status update.
2013-06-25: Requesting status update (again).
2013-06-25: Vendor is still "in the process of scheduling changes".
2013-08-14: Requesting status update (again) and setting deadline (Oct. 3rd).
2013-09-18: Vendor provides release dates for the update (Oct. 1st and 2nd).
2013-10-03: SEC Consult releases coordinated security advisory.

Update to Citrix NetScaler 10.0 Build 76.7.

Vendor information can be found at:

No workaround available.

Advisory URL:

SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Stefan Viehböck / @2013

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus